#Invincea : FreeSpace & Cynomix


I've had a couple of days to play with Invincea 'Freespace' and i believe this could be a contender to join the coalition in killing or at least challenging traditional AV, a battle which is growing long in the tooth.

FreeSpace is the client technlogy behind the corporate name of Invicea and is a combination of a 3 tier platform of client, server and cloud - of which the 'Cloud' platform is a community source of collated threats analysed by Invincea and then correlated with the intelligence or the ' Threat Data ' gathered by the 'Managment Server ' which links to Threatgrid intelligence also.

Management Server

This is where i managed the reporting and samples submitted. FreeSpace captures the forensics information and its fed to the Management server where i viewed the following :

  • Full auditing of all changes
  • Backup and restore 
  • Dashboards & reporting
  • Timelines of attacks
  • Registry changes
  • Processes launched
  • Inbound & outbound connectivity
  • Infection sources ( GeoIP )

There is optional vendor integration with Splunk, ArcSight, McAfee ePO & iSight as well as others.


The client part of the solution works on a 'Secure Virtual Container' technology,its enevitable that both Bromium & Invincea will be discussed when mentioning this technology, they are in the same ' user space ' separated only by vendor buzz words. Invincea do not present this technology as a 'silver bullet'. Some Enterprises are still adapting to VDI - i can't imagine this being an easy sell despite the glaring technical benefits.

Image courtesy of Invincea


FreeSpace sits on the client, and has application support for :

  • PDF
  • Flash
  • Microsoft Excel, Word, Powerpoint & Outlook 'Helper' apps 2010,2013
  • Silverlight
  • Java 1.6 1.7+

It also has OS support for 

  • Windows XP x86
  • Windows 7 x86 & x64
  • Windows 8 & 8.1 x86 & x64

I tested FreeSpace on a SP1 version of x64 Windows 7 

FreeSpace v malicious Flash serving website

Invincea works on 4 distinct principles

- Containment, Invincea creates a virtual sandbox which exists on the desktop
- Detection, A behaviorial detection engine monitors the sandbox to spot any malicious behavior
- Breach Prevention, Malicious activity when detected, is captured inside the sandbox
- Intelligence, All 'unauthorised' attacks are uploaded to the Invincea Management Server

Invincea provided me a Linux Virtual machine with contains the Cynomix command line tools for investigating forensic level analysis of some samples, similar in the respects to Didier Stevens tools in parsing and interrogating the samples. The ability to submit samples does not require an active internet connection according to Invincea, critically this helps in ensuring some confidentiality in analysing threats in the respect of deciding whether it may be a campaign or not.

The web front end is an attractive collection of intelligence, including string analysis and .dll capabilities displayed out and correlated with similar threats.

The back end Cynomix Virtual Machine is command line driven and includes capabilities which 'drive' the web front end.

  • Cycrowd - Correlates languages discovered in samples strings to 'predict' capabilities a sample has
  • Cysig - Critically, this generates a Yara signature for malware samples using a statistical method that allows invincea to include in the signature based on rarity
  • Cynet - a network tool used to identify and visualize relationships between malware samples based on the string relationships

Example of a sample being analysed by Cycrowd 


Having used it for little over a week, i can't help but think that modern AV has to fear technologies like this, the only challenge Bromium & Invincea have is integration with modern platforms. An example is a Co.  still adopting VDI as a solution will find this a step too far, modern AV sits in a long line of settled and comfortable adoptees IE: HP Partner supplied their laptops with Symantec, Dell promote AVG, SonicWall & Trend Micro.

Consumers - Commercial and private don't know any better than to choose one AV over another, why should they then proceed to choose a 'Microvisor' - This is the challenge.

AV is everywhere including at home, office, smartphone - this is something that is a growing technical achievment along with other vendors in virtualisation such as AppSense - it's a a difficult market to break down, but in the long run AV has a competitor, and thats good for users.